cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

Analysis

max time kernel
174s
max time network
195s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
Size

802KB
MD5

102c9d8d99c9f453053d1f49620df11f
SHA1

47ab2f2f660832e3a38f6dee882431a5a2404729
SHA256

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27
SHA512

adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e
SSDEEP

12288:FgORozerFqm6tU2L6kwt0Z9YlU+iyKAqYpBuT+ZlI4O3dRvUC8yr3e9JKjv6JfPf:FZRFxVYJL7jYlU3vAqYphHcLmwCdSRkj

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

kwrsnmf.exekwrsnmf.exe

pid process

3032 kwrsnmf.exe
2224 kwrsnmf.exe

pid	process
3032	kwrsnmf.exe
2224	kwrsnmf.exe

Loads dropped DLL 8 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exekwrsnmf.exe

pid	process
4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
3032	kwrsnmf.exe
3032	kwrsnmf.exe
3032	kwrsnmf.exe
3032	kwrsnmf.exe

Drops file in System32 directory 1 IoCs

Processes:

kwrsnmf.exe

description ioc process

File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\READ-ME-FIRST.txt kwrsnmf.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\READ-ME-FIRST.txt	kwrsnmf.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exekwrsnmf.exe

description	pid	process	target process
PID 4500 set thread context of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 3032 set thread context of 2224	3032	kwrsnmf.exe	kwrsnmf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exekwrsnmf.exe

pid	process
884	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
884	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
2224	kwrsnmf.exe
2224	kwrsnmf.exe
2224	kwrsnmf.exe
2224	kwrsnmf.exe
2224	kwrsnmf.exe
2224	kwrsnmf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kwrsnmf.exe

description pid process

Token: SeDebugPrivilege 2224 kwrsnmf.exe

description	pid	process
Token: SeDebugPrivilege	2224	kwrsnmf.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exekwrsnmf.exekwrsnmf.exe

description	pid	process	target process
PID 4500 wrote to memory of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 4500 wrote to memory of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 4500 wrote to memory of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 4500 wrote to memory of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 4500 wrote to memory of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 4500 wrote to memory of 884	4500	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe	cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
PID 3032 wrote to memory of 2224	3032	kwrsnmf.exe	kwrsnmf.exe
PID 3032 wrote to memory of 2224	3032	kwrsnmf.exe	kwrsnmf.exe
PID 3032 wrote to memory of 2224	3032	kwrsnmf.exe	kwrsnmf.exe
PID 3032 wrote to memory of 2224	3032	kwrsnmf.exe	kwrsnmf.exe
PID 3032 wrote to memory of 2224	3032	kwrsnmf.exe	kwrsnmf.exe
PID 3032 wrote to memory of 2224	3032	kwrsnmf.exe	kwrsnmf.exe
PID 2224 wrote to memory of 792	2224	kwrsnmf.exe	svchost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
"C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4500

C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe
"C:\Users\Admin\AppData\Local\Temp\cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
"C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsHolographicDevices\miylefa
Filesize
654B

MD5
d7bc6a33d8fd7dcf4cd6228439c231a0

SHA1
20d6dfe7e232544d56215c3270251d140a2f7dbf

SHA256
ee00242c4f5030bc42e60497d7304c6317e97dcbff3cb10e05bb2e44e71d7002

SHA512
8d8acad1a9ecbd2a23e94421fbe1651d4bb22ed7f4f1c28a400723e66bfb38b475cc6da978833bb47ec91b4a6294cf36e922684e23412ce46c541443e24abd51

Download Submit
C:\ProgramData\WindowsHolographicDevices\miylefa
Filesize
654B

MD5
d7bc6a33d8fd7dcf4cd6228439c231a0

SHA1
20d6dfe7e232544d56215c3270251d140a2f7dbf

SHA256
ee00242c4f5030bc42e60497d7304c6317e97dcbff3cb10e05bb2e44e71d7002

SHA512
8d8acad1a9ecbd2a23e94421fbe1651d4bb22ed7f4f1c28a400723e66bfb38b475cc6da978833bb47ec91b4a6294cf36e922684e23412ce46c541443e24abd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwrsnmf.exe
Filesize
802KB

MD5
102c9d8d99c9f453053d1f49620df11f

SHA1
47ab2f2f660832e3a38f6dee882431a5a2404729

SHA256
cdaf240960ef6c5d9b81b9843bafaa56700e8fa848dca85cb401061d22f5ec27

SHA512
adbe66cb6be6cbc082cda769caed32bd8bd8c514dfc229c54ea173385cfa4ff713b60327f550e27229732f2c1382e0038fe40c8ba16a5d0f5d44314a3a70a04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm32BA.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm32BA.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm32BA.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm32BA.tmp\coelenterates.dll
Filesize
382KB

MD5
f2ce2e755d4f18546550ae4a7f2a6626

SHA1
2d4c874c00dc8006a75bd8e700d77952a08d101f

SHA256
aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7

SHA512
5cb452aaf18ee58bb49fd03581c58f8edd5d9c9c087f95b29638069c6fa5ea08999fc29bee8c95d3f346e979a9fa42f59a01e41f1019c5ea58725ef2567e9855

Download Submit
C:\Windows\Temp\nsz397.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Windows\Temp\nsz397.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Windows\Temp\nsz397.tmp\UserInfo.dll
Filesize
4KB

MD5
d9a3fc12d56726dde60c1ead1df366f7

SHA1
f531768159c14f07ac896437445652b33750a237

SHA256
401f1a02000ff7cf9853d964dcba77e6f0fa8e57256b11ed3c01171d7a97388a

SHA512
6b06e3446df419151dd20cdb1d9c595fe9fb0972e7dfc50dadeea9f868d8ef0cd4cefcb18c7ebfc0d2a3e9171f8aa1f9fe762f54c374667f6060e8ce7e845f51

Download Submit
C:\Windows\Temp\nsz397.tmp\coelenterates.dll
Filesize
382KB

MD5
f2ce2e755d4f18546550ae4a7f2a6626

SHA1
2d4c874c00dc8006a75bd8e700d77952a08d101f

SHA256
aa237a70b8b8c08f00bb26fa5c9529b2a41e20222c18d40244459baad2fed3c7

SHA512
5cb452aaf18ee58bb49fd03581c58f8edd5d9c9c087f95b29638069c6fa5ea08999fc29bee8c95d3f346e979a9fa42f59a01e41f1019c5ea58725ef2567e9855

Download Submit
memory/792-154-0x0000000018B40000-0x0000000018BB7000-memory.dmp

Filesize
476KB

Download
memory/884-137-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/884-141-0x0000000000400000-0x00000000004A4600-memory.dmp

Filesize
657KB

Download
memory/884-140-0x0000000000970000-0x0000000000BBB000-memory.dmp

Filesize
2.3MB

Download
memory/884-139-0x0000000000750000-0x000000000096A000-memory.dmp

Filesize
2.1MB

Download
memory/884-136-0x0000000000000000-mapping.dmp

Download
memory/2224-148-0x0000000000000000-mapping.dmp

Download
memory/2224-153-0x0000000000A50000-0x0000000000C9B000-memory.dmp

Filesize
2.3MB

Download